A couple of sites I host on a Snow Leopard Server got hacked and they replaced the index page with one of their own. I cleaned it up and they came back and left a page that said something like, "Fatal Error ownz you !"

I had left an open VNC connection to the machine over the internet and I suspect this is the means they used to gain access to the machine. I replaced the damaged files and shut off remote management and control.

Anyone have experience with this? Anything else I should do? Running a ClamAV scan right now on the whole machine to see if they left anything behind. No real damage, but it's a pain in the butt. Any help is welcome.

Close the hole they used to get in (VNC over the internet, are you serious?).

Just because no virus is picked up, it doesn't mean that they have not compromised the box's security in other ways.

Seriously, if you are owned, the only way to be sure is to wipe/reinstall/patch (before exposing to the internet) and restore (data only) from known clean backup.

Until you can verify the hole they used to exploit you (could be a web-app you are running and not specifically an OS problem) you will continue to get hacked (it's probably an automated scan and compromise tool, not even a human).

You will need to audit whatever you are exposing to the internet and close the holes, but VNC for a start is an extremely bad idea. That should be firewalled and not exposed to the internet, definitely.

A hacker, identified by his handle s4r4d0, got into the district web server and changed the coding on most of the pages to show a simple white webpage with the phrase, "Fatal Error ownz you ! by s4r4d0." The hacker is from Brazil.
That person, and at least one other, hack websites around the world under the group name Fatal Error, according to multiple posts made in internet forums related to hacking and fixing hacks.
s4r4d0 has posts on multiple hacking websites online claiming credit for numerous hacks, and states he or she has authored scripts - essentially a program that can change information in other programs - for several content management systems.

I'd like to make a suggestion. It is just my opinion, and it is free, so you get what you pay for it, but if I were you I would first VPN (encrypted) into my local LAN from the Internet and then run VNC from the VPN connection instead of opening VNC to the Internet. I believe this is much more secure, as VPN requires strong authentication and does strong encryption, making the VNC traffic secure.
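
An added example, not part of any post in this thread: one way to check, after moving VNC behind a VPN, that no remote-control listener is still bound to a public interface. It parses `netstat -an -p tcp` output in the macOS layout; the sample output, the VPN subnet `10.8.0.0/24` and the function name are constructed assumptions.

```python
# Constructed sample of `netstat -an -p tcp` output in the BSD/macOS layout
# (address and port are joined by a dot). Not captured from a real host.
SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.5900                 *.*                    LISTEN
tcp4       0      0  127.0.0.1.5901         *.*                    LISTEN
tcp4       0      0  10.8.0.1.5902          *.*                    LISTEN
tcp4       0      0  *.80                   *.*                    LISTEN
tcp6       0      0  *.3283                 *.*                    LISTEN
tcp4       0      0  192.168.1.10.22        203.0.113.7.51515      ESTABLISHED
"""

# Remote-control ports to watch: VNC displays 5900-5909 and 3283 (Apple Remote Desktop).
REMOTE_PORTS = set(range(5900, 5910)) | {3283}
# Assumption: loopback and a hypothetical VPN subnet 10.8.0.0/24 are the only acceptable binds.
ALLOWED_PREFIXES = ("127.0.0.1", "::1", "10.8.0.")


def exposed_remote_listeners(netstat_text, ports=REMOTE_PORTS, allowed=ALLOWED_PREFIXES):
    """Return sorted (address, port) pairs for remote-control listeners bound outside `allowed`."""
    findings = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Keep only TCP sockets in the LISTEN state; skip headers and live connections.
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[-1] != "LISTEN":
            continue
        # The local address looks like "*.5900" or "10.8.0.1.5902": split at the last dot.
        addr, _, port = fields[3].rpartition(".")
        if not port.isdigit() or int(port) not in ports:
            continue
        # "*" means every interface, including the internet-facing one.
        if addr == "*" or not addr.startswith(allowed):
            findings.add((addr, int(port)))
    return sorted(findings)


if __name__ == "__main__":
    for addr, port in exposed_remote_listeners(SAMPLE):
        print(f"remote-control listener on {addr}:{port} is reachable outside loopback/VPN")
```

A clean result only shows where the service is bound; whether the port is reachable from the internet also depends on the firewall in front of the host.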